sevenal

semantic-search

Author: Sevenal · GitHub · v1.0.0
cross-platform ⚠ suspicious
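Total downloads: 447
Favorites: 1
Current installs: 2
Versions: 1
Install in OpenClaw
/install semantic-search
Description
Enterprise-grade semantic search skill supporting table/field/file search and Text-to-SQL data generation
Security recommendations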
This package appears to implement the advertised semantic-search functionality, but review carefully before installing:
- Expect to provide FlightSQL credentials; the skill will connect to your DB and run queries (Text-to-SQL may execute SELECTs). Provide a least-privilege DB account and limit network access.
- The code attempts to import project-level configs (utils.config) by adding parent paths to sys.path. That means the skill can pick up and use configuration files or credentials present in the surrounding environment — run it in an isolated container / sandbox to avoid accidental use of host secrets.
- The docs reference many optional external services (LLM endpoints, embedding/rerank services, internal IPs). If you supply LLM/embedding API keys or allow network egress, the skill will make outbound requests; audit those endpoints and restrict egress where appropriate.
- Dependencies are extensive and pull third-party libraries. Pin and audit dependency versions, and install in an isolated virtualenv or container.
- There are small inconsistencies (missing test module referenced in docs). Consider doing a quick code review of the text2sql and retriever modules and a dry-run in a non-production environment to confirm which external endpoints are actually called.
If you need this skill in production: run it with network egress controls, a restricted DB user, and with LLM/embedding credentials limited to test models/services until reviewed.
Functional analysis
Type: OpenClaw Skill
Name: semantic-search
Version: 1.0.0
The skill is classified as suspicious primarily due to a potential SQL injection vulnerability in `src/text2sql.py`. Although the `_is_valid_select_statement` function attempts to restrict SQL queries to `SELECT` statements and forbid DML/DDL commands, regex-based validation can be bypassed by sophisticated attackers, leading to unauthorized database operations.
Additionally, the `PROJECT_CONFIG.md` file discloses internal network IP addresses for various services (e.g., FlightSQL, LLM, Embedding, Rerank, Nacos), which constitutes sensitive information leakage that could aid an attacker in internal reconnaissance.
The skill also requires access to environment variables for sensitive credentials (database, LLM API keys) and performs external network calls, which, while necessary for its functionality, broaden the attack surface.
Capability assessment
Purpose & Capability
The skill name/description (enterprise semantic search, Text-to-SQL) aligns with the artifacts: it requires FlightSQL connection info and includes vector DB, retriever, and text2sql code. Minor mismatch: SKILL metadata declares only FLIGHT_DB_* as required env vars while documentation and code reference LLM/embedding/rerank configuration (LLM_API_KEY, EMBEDDING_API_KEY, base_url, etc.). This is plausible (DB credentials are mandatory; LLM/embedding may be optional or use local services), but the omission reduces clarity.
Instruction Scope
The runtime code and SKILL.md instruct the agent to read env vars and config files (config.yaml/.env) which is expected. However, main.py and other modules dynamically add parent project paths to sys.path and attempt to import utils.config.CONFIG from a project-level location — this can cause the skill to load configuration from outside the skill bundle (project configs, Nacos configs, or other local files), potentially exposing or using host-level secrets and endpoints. SKILL.md also references a test module (python -m src.test_search) that is not present in the bundle, indicating documentation/code drift.
Install Mechanism
There is no install spec (instruction-only for OpenClaw) and dependencies are listed in requirements.txt. That is lower installer risk than arbitrary downloads, but the dependency list includes non-trivial packages (dashscope, FlagEmbedding, bge-reranker, lancedb, adbc-driver-flightsql) which will pull code from PyPI and may require native builds or network access. No packaged install from unknown URLs was observed.
Credentials
Declared required env vars (FLIGHT_DB_HOST, FLIGHT_DB_PORT, FLIGHT_DB_USER, FLIGHT_DB_PASSWORD) are appropriate for a skill that queries a FlightSQL-backed vector DB. The repository and docs, however, reference additional credentials and internal endpoints (LLM API keys, embedding API keys, several internal IPs/URLs in PROJECT_CONFIG.md). Those additional credentials are not flagged as required in the top-level metadata, which is a documentation inconsistency — in practice Text-to-SQL and query enhancement will need LLM/embedding credentials or reachable local models.
Persistence & Privilege
The skill does not request always: true and has no special platform privileges. It does not appear to modify other skills or system-wide agent settings. Normal autonomous invocation is allowed (platform default).
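How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install semantic-search
  3. Once installation completes, invoke the Skill by name or trigger it with /semantic-search
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history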
v1.0.0
Initial release of the semantic-search skill.
- Supports enterprise-level semantic search for tables, fields, files, and Text-to-SQL data generation.
- Integrates with LanceDB (FlightSQL) for vector/BM25 hybrid search.
- Provides rerank functionality, LLM-based intent recognition, and SQL generation.
- Includes workflow orchestration via LangGraph.
- Offers Python and OpenClaw invocation examples, performance indicators, and troubleshooting guidance.
Metadata
Slug: semantic-search
Version: 1.0.0
License
Total installs: 2
Current installs: 2
Number of past versions: 1
FAQ

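What is semantic-search?

An enterprise-grade semantic search skill that supports table/field/file search and Text-to-SQL data generation. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 447 total downloads to date.

How do I install semantic-search?

Run the command "/install semantic-search" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is semantic-search free?

Yes, semantic-search is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does semantic-search support?

semantic-search runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed semantic-search?

Developed and maintained by Sevenal (@sevenal); the current version is v1.0.0.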
